It sounds so weird (the dependendce of the behaviour on the network/country in which the client is connected) that it would need a log:
/system logging add topics=ipsec,!packet
/log print follow-only file=ipsec-start topics~"ipsec"
and then, while the last command is running, try to log in the client which doesn't work. After the login fails, stop the /log print ...
, download the file and try to find the answer there. If you can't, follow the suggestion in my automatic signature for obfuscation of the IP addresses before posting the file here.
However, it may all be much simpler if you use the two client devices at the same time in the same network, because there is the common issue with L2TP/IPsec inability to deal with two clients connecting from behind the same public IP address to the same server. There is a solution to that issue
but it is not exactly simple.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.